Monday, October 19, 2015

What the Art 29 WP Guidance Doesn’t Say

On October 16, 2015, the Article 29 Working Party issued a
highly anticipated statement on the implementation of the CJEU ruling in Maximilian Schrems v Data Protection
Commissioner. From the
perspective of companies that relied upon Safe Harbor as their sole legal basis
for importing personal data from Europe, and that currently lack an alternate
mechanism and cannot quickly put one in place, the statement is as notable for
the questions it does not address as for those
it takes on.

Here are five questions that the Article 29 Working Party statement doesn’t address for these companies.

With respect to data transferred before October 6, 2015:

1. Can the data continue to be held, as opposed to being immediately
deleted?

2. If yes, can it continue to be used for the legitimate purposes for
which it was collected and transferred?

3. If yes again, can it be updated via a new transfer, even in the
absence of an alternate mechanism, if it is in the data subject’s interest to
do so?

In general:

4. Should there be a grace period, during which new data transfers under
Safe Harbor may occur while a company transitions to implementation of an
alternate mechanism?

5. Should references to Safe Harbor in privacy policies, notices and
websites be amended immediately?

What is to be made of the fact that the Working Party is silent on these
topics? It may be that the magnitude of
the sudden shift in the EU DP acquis
caused by the Schrems ruling renders
any attempt to formulate answers to these questions too complex and fraught
with legal uncertainty. What was lawful
one day became unlawful the next, but only on one side of the Atlantic. Furthermore, the subject is an unprecedented quasi-legal
framework created out of thin air through political negotiation and
agreement. It may also be the case that,
taking into consideration the uncertainty the Working Party acknowledges as to
the post-Schrems viability of
alternate transfer mechanisms, it believes it best to defer questions
about how one unravels previously acceptable mechanisms to a later time when
the bigger picture has been brought into focus.
Or the Working Party may have had intense discussions about these
questions and concluded that they are best answered on a case-by-case basis by
individual DPAs. The need to produce a statement that reflects
a consensus or common position of all the DPAs may have played a determinative role
as well.

Whatever the factors underlying the limited focus of the Working Party’s
October 16 statement, it remains striking that a document professing to discuss
the implementation of a judicial ruling invalidating the Safe Harbor framework
has so little practical guidance to provide to thousands of Safe Harbor
companies about their current data processing activities.

My own thoughts on these questions are that one has to begin by distinguishing
between legal obligations that apply to European companies and those that apply
to US companies. Since Safe Harbor was
designed to bridge the gap that exists, it is not surprising that its demise
yields quite divergent answers depending upon the jurisdiction a company is
located in.

At the same time, this division of applicable law by jurisdiction does not
apply to Safe Harbor companies with respect to transfers of human resources
data. According to the sixth paragraph
of the Safe Harbor Privacy Principles “U.S. law will apply to questions of
interpretation and compliance with the Safe Harbor Principles….except where
organizations have committed to cooperate with European Data Protection
Authorities.” Making such a commitment is
mandatory under Safe Harbor when it comes to HR data. Consequently, what follows holds only for
non-HR data, or for HR data in situations in which the DPAs have not intervened.

Here is my analysis:

With respect to data transferred before October 6, 2015:

1. Under European DP law, a good case can be made that the data must be
deleted immediately, along the lines that even storage of data is a form of
data processing under the Directive and that no legal ground exists post-Schrems to engage in such
processing. At the same time, a counterargument
could be made that the CJEU Schrems
ruling only applies to transfers going forward and doesn’t address the past or
current legitimacy of data processing activities that were lawful when
initiated. In addition, immediate
deletion could have serious unintended consequences for data subjects, such as
those who have paid for products to be delivered or for surgery to be performed
remotely by companies reliant upon Safe Harbor.

Under US law, the situation is less ambiguous. A company should be able to retain pre-Schrems data. While companies are explicitly required by
FAQ 6 to delete transferred data if they leave the Safe Harbor program, there
is nothing in the text of the Safe Harbor documents that addresses whether
transferred data can or cannot continue to be held if the program itself ceases
to exist. The FTC would have grounds to
take enforcement action against a company that fails to continue to apply the
Safe Harbor privacy principles and FAQs to the transferred data. However, I see no basis under which the FTC
could take action against a company solely for failing to delete Safe Harbor
data in light of the CJEU ruling.

2. Under European law, the answer to the questions as to whether data
transferred before October 6, 2015 can continue to be used for the legitimate
purposes for which it was collected and transferred would likely follow the
answer to the previous question about storage. It should be noted that the CJEU did not find
that Safe Harbor companies were using transferred data in illegitimate ways,
rather that the US government was doing so, by virtue of its indiscriminate
mass surveillance with no access and correction rights or recourse for data
subjects. It would not be surprising if some
DPAs would be amenable to allowing the continued use of pre-Schrems data, at least in some cases and
for some periods of time.

Under US law, a Safe Harbor company should be able to use pre-Schrems data as long as it continues to apply
the Safe Harbor Privacy Principles and FAQs to its handling of the data.

3. Under European law, the CJEU
ruling makes crystal clear that new
data transfers cannot be made lawfully on the basis of Safe Harbor participation,
whether on an interim or a long-term basis.
At the same time, if the grounds described above for allowing pre-Schrems data to continue to be used are persuasive,
would they not remain so if a new
data transfer were only an update of data previously supplied, such as a change
in shipping address or a request for data subject access? One begins to sense a
slippery slope with this line of argument, yet some DPAs might weigh the
interests of data subjects and decide to look the other way and focus on more
consequential matters.

US law, on the other hand, contains no prohibitions against receipt of
data from Europe without the protections required by European law. While a
European company is now legally prohibited from exporting personal data on the
basis of Safe Harbor, no such strictures apply on the receiving side.

In general:

4. Given the unequivocal rejection of Safe Harbor as a basis for new data
transfers by the CJEU, it was probably a pipe dream to imagine that the Working
Party could find a way to allow for a grace period that would allow Safe Harbor
data exporters and importers to continue business as usual until an alternate
transfer mechanism was developed and in place. The best that can now be hoped in this regard
is that individual DPAs will allow an unspoken de facto grace period to come
into existence.

On the US side, the fact that the US Department of Commerce has adopted the position that Safe
Harbor remains open for business (see http://export.gov/safeharbor/
and my blog),
however bizarre and indefensible that may be, would appear to encourage new
data transfers from European companies willing to overlook the legalities
involved or from European consumers who may be unaware of the CJEU ruling or
its significance.

5. By anyone’s standards, be they European or American, it would be both unethical
and a violation of law to not amend
policies, notices or websites that reference Safe Harbor and thereby fail to
inform European data subjects that the program said to ensure protection for
their US-bound data has been ruled invalid and ineffective by Europe’s top
court. The adequacy of notice provided to data subjects is fundamental both in
European DP law and in the more narrow Notice-and-Choice approach to privacy
protection found in the US and in the Safe Harbor Privacy Principles. Furthermore, given the indispensability of transparency,
such amendments should also address, at a minimum, what is being done with previously
transferred data, what the company is doing about new transfers and what options
the data subject has in this new regulatory environment.

So there you have it. We have
received regulatory guidance that either ducks the difficult responsibility of
explaining how to apply the Schrems ruling
to the real world or farms that responsibility out to dozens of DPAs to sort
out on their own on a case-by-case basis.